bitrat | fe8c9e7b5df84863cebeffb7f7a6a9de7e1cfccce1a0882618438ba16b3b2780

General

Target

76ac21d5d094a33fc1fcc0215bbcc123.exe
Size

4.0MB
MD5

76ac21d5d094a33fc1fcc0215bbcc123
SHA1

03aff12ac59f59a3e1c4c7ee1e79ea5840bc66bb
SHA256

fe8c9e7b5df84863cebeffb7f7a6a9de7e1cfccce1a0882618438ba16b3b2780
SHA512

3508f02a6d96e2988b5a232d44ffc6e7979ce3eb1c7f640417f1b1029f1e0f94f9682d95d72c108a3e2b1d706ce774d6ff140a07e4aa42565604cd2ca9a12612
SSDEEP

98304:YZVblz+5RHSRptwRWNcKr709xNG8W9pIbV50OqnwhIjIlb3r:YZV5zayRQpXi7IbsDNU

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76ac21d5d094a33fc1fcc0215bbcc123.exeloader32biut.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	76ac21d5d094a33fc1fcc0215bbcc123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	loader32biut.exe

Executes dropped EXE 1 IoCs

Processes:

loader32biut.exe

pid process

1476 loader32biut.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1476	loader32biut.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

76ac21d5d094a33fc1fcc0215bbcc123.exeloader32biut.exe

description	pid	process	target process
PID 3708 set thread context of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 1476 set thread context of 1632	1476	loader32biut.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1352 2252 WerFault.exe vbc.exe
792 1632 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4448 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

76ac21d5d094a33fc1fcc0215bbcc123.exeloader32biut.exe

description pid process

Token: SeDebugPrivilege 3708 76ac21d5d094a33fc1fcc0215bbcc123.exe
Token: SeDebugPrivilege 1476 loader32biut.exe

pid	pid_target	process	target process
1352	2252	WerFault.exe	vbc.exe
792	1632	WerFault.exe	vbc.exe

pid	process
4448	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe
Token: SeDebugPrivilege	1476	loader32biut.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

76ac21d5d094a33fc1fcc0215bbcc123.execmd.exeloader32biut.exe

description	pid	process	target process
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	vbc.exe
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	cmd.exe
PID 1084 wrote to memory of 4448	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 4448	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 4448	1084	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	cmd.exe
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	cmd.exe
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	cmd.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe
"C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 188
3⤵
- Program crash
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe" "C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe"
2⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252
1⤵
PID:2392

C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 188
3⤵
- Program crash
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1632 -ip 1632
1⤵
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
Filesize
3.3MB

MD5
9b4c6a9506bca6f8a0abe98159f655de

SHA1
c53c926ca0bb1fa785a0033afe8169851cac3384

SHA256
2ef5fe0c4db1286a05258d2db599242af8003d0de56f6d1433d659b094c169b3

SHA512
a3a820333d99fd0d6d43f9b2da19f3d2113bebed6844cb1e87e008d6802eefaf224f3221a76190bcb9a3633571d5a3eac1782d707d54cfab71fc50f7d5aa3d3a

Download Submit
C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
Filesize
3.4MB

MD5
ec9faa55c94491f49751958c36c57d1d

SHA1
dd29a279a70a62d36ea2e27cf0f77798e898fd90

SHA256
cfa9682303838c843415773a21a39b9b6db33bc018703d01d60dd7ba42f0dcbc

SHA512
8b34b751637472366898783e60175c576aaf9229138dc7e5f8234096c821cbab06aba54d598b3cfb8a549c71c2ac2a41f83855a456269298eb6517b554e0188d

Download Submit
memory/1476-36-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1476-35-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1476-23-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1476-24-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1476-22-0x0000000000670000-0x0000000000A78000-memory.dmp

Filesize
4.0MB

Download
memory/1632-34-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/1632-30-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/2252-7-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/2252-11-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/2252-15-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/3708-5-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/3708-17-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3708-16-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3708-0-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3708-4-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3708-3-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/3708-2-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/3708-1-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads